Antivirus (AV) Advice: Antivirus Configuration Best Practices

Written by Ellie Owen

Published on 30 Oct 2015

In our post, ‘Antivirus Advice: Scoping an enterprise AV solution,’ we looked at the minimum feature set we’d recommend organisations look for in an antivirus solution. Here, we will dive into best practices when configuring AV solutions.

Regardless of the product’s effectiveness, remember that an AV solution should only form part of your overall security control set. Even with the best possible antivirus configuration, there are still several ways attackers can bypass the AV.

However, a best-practice AV configuration is strongly recommended as part of a defense-in-depth approach. Here is SureCloud’s recommended checklist for configuring your chosen solution.

Checklist for Antivirus Configuration

  1. Deploy Tamper Protection using a strong, complex password. If using user credentials (for example, a Domain User account), configure the password to be long and complex, and ensure that the principle of Least Privilege is followed. This password should not be used for any other system or service.
  2. Limit the number of exclusions per deployment policy, and be precise with file paths. Avoid using wildcards unless absolutely necessary (for example, with a database directory). In addition, too many exclusions will likely cause performance issues with the AV software. Use file hash values where possible when configuring exclusion policies.
  3. Deploy individual policies per server or, at the very least, per server role. (For example, Domain Controllers should have their own policy, as should MS SQL Database Servers).
  4. Enable on-access (real-time) scanning, and ensure that heuristic scanning is enabled as well.
  5. Run a full system scan regularly; don’t simply rely on the ‘on-access’ scanning. This full system scan should also include ‘on-access’ excluded locations. Exclusions are often used by attackers (or penetration testers) as drop-points.
  6. If possible, enable alerting for any detections from scanning and create email groups to notify Support Desk and Security Teams. Some products allow alerts based on whether a system is infected once, re-infected, or if an outbreak occurs.
  7. Configure AV logging with appropriate alerting to the IT team. For example, should the AV be disabled or a virus detected, then a follow-up process should start as soon as possible.
  8. Keeping AV definitions fully up to date is critical. Apply the latest definitions and signatures as soon as possible after release from the AV vendor. Test updates to the AV engine itself before full deployment in case any compatibility issues arise.
  9. Restrict USB and other storage media access if the endpoint software has that functionality. Prevent ‘write’ permissions to reduce the risk of data loss and restrict any ‘read’ permissions. This will prevent external data or files, which could harbour malware, from being brought into the internal network.
  10. Configuring different policies for mobile devices (laptops/tablets/etc) based on location can ensure that a stricter environment is enforced when the user and their device are out of the office. It’s recommended that you increase the scheduled scans so that quick scans are performed every two hours, with at least one full scan per day if an ‘external’ or ‘out-of-office’ policy is in use. Completely restricting USB and external media access is also advised.
  11. Where possible, use different AV solutions throughout the network to increase your chances of detecting an infection early. For example, use a different product on your servers and workstations. Likewise, consider a different product for email filtering and/or other network entry points.
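As an added example (not SureCloud’s code, and not any AV vendor’s API), the following Python script lints a product-neutral model of deployment policies against the checklist above: one policy per role (item 3), exclusion precision and wildcards (item 2), on-access and heuristic scanning (item 4), scheduled full scans that cover excluded locations (item 5), removable-media restrictions (item 9) and the stricter out-of-office schedule (item 10). The AvPolicy fields, the MAX_EXCLUSIONS threshold and the three sample policies are assumptions constructed for illustration; map the fields onto whatever settings your own product exposes.

```python
"""Lint antivirus deployment policies against the configuration checklist.

Added example: the AvPolicy fields are an assumed, product-neutral model of
the settings the checklist discusses, not any vendor's real API.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed threshold: the checklist says "limit" exclusions but gives no number.
MAX_EXCLUSIONS = 10


@dataclass
class AvPolicy:
    name: str
    roles: List[str]                   # server roles this policy is deployed to
    on_access_scanning: bool           # item 4: real-time scanning
    heuristic_scanning: bool           # item 4
    full_scan_interval_hours: int      # item 5: 0 means no scheduled full scan
    quick_scan_interval_hours: int     # item 10
    full_scan_covers_exclusions: bool  # item 5: full scan includes excluded paths
    usb_write_allowed: bool            # item 9
    usb_read_allowed: bool             # item 9
    out_of_office: bool = False        # item 10: stricter policy when off-site
    path_exclusions: List[str] = field(default_factory=list)  # item 2
    hash_exclusions: List[str] = field(default_factory=list)  # item 2


def _depth(path: str) -> int:
    """Directory depth of a Windows-style path: 'C:\\' -> 0, 'C:\\Temp' -> 1."""
    return path.replace("/", "\\").rstrip("\\").count("\\")


def lint_policy(p: AvPolicy) -> List[str]:
    """Return checklist findings for one policy; an empty list means compliant."""
    f: List[str] = []
    if len(p.roles) != 1:
        f.append(f"covers roles {p.roles}: deploy one policy per server role (item 3)")
    if not p.on_access_scanning:
        f.append("on-access (real-time) scanning is disabled (item 4)")
    if not p.heuristic_scanning:
        f.append("heuristic scanning is disabled (item 4)")
    if p.full_scan_interval_hours <= 0:
        f.append("no scheduled full system scan (item 5)")
    elif not p.full_scan_covers_exclusions:
        f.append("full scan skips on-access excluded locations (item 5)")
    total = len(p.path_exclusions) + len(p.hash_exclusions)
    if total > MAX_EXCLUSIONS:
        f.append(f"{total} exclusions exceed the limit of {MAX_EXCLUSIONS} (item 2)")
    for path in p.path_exclusions:
        if any(c in path for c in "*?"):
            f.append(f"wildcard exclusion {path!r}: use an exact path or a file hash (item 2)")
        elif _depth(path) <= 1:
            f.append(f"broad exclusion {path!r}: drive root or top-level folder (item 2)")
    if p.usb_write_allowed:
        f.append("write access to USB/removable media is allowed (item 9)")
    if p.usb_read_allowed:
        f.append("read access to USB/removable media is not restricted (item 9)")
    if p.out_of_office:
        if p.quick_scan_interval_hours > 2:
            f.append("out-of-office policy: quick scans must run at least every 2 hours (item 10)")
        if p.full_scan_interval_hours > 24:
            f.append("out-of-office policy: at least one full scan per day (item 10)")
    return f


def lint_deployment(policies: List[AvPolicy]) -> Dict[str, List[str]]:
    """Lint every policy and report only the ones with findings."""
    report: Dict[str, List[str]] = {}
    for p in policies:
        findings = lint_policy(p)
        if findings:
            report[p.name] = findings
    return report


# Constructed sample policies: a catch-all "weak" policy and two per-role ones.
WEAK_CATCH_ALL = AvPolicy(
    name="default-all-servers",
    roles=["domain-controller", "sql-server", "workstation"],
    on_access_scanning=True, heuristic_scanning=False,
    full_scan_interval_hours=0, quick_scan_interval_hours=24,
    full_scan_covers_exclusions=False,
    usb_write_allowed=True, usb_read_allowed=True,
    path_exclusions=[r"C:\Temp", r"D:\*",
                     r"C:\Program Files\Microsoft SQL Server\MSSQL\DATA\*.mdf"],
)
SQL_SERVER = AvPolicy(
    name="sql-server", roles=["sql-server"],
    on_access_scanning=True, heuristic_scanning=True,
    full_scan_interval_hours=168, quick_scan_interval_hours=24,
    full_scan_covers_exclusions=True,
    usb_write_allowed=False, usb_read_allowed=False,
    path_exclusions=[r"C:\Program Files\Microsoft SQL Server\MSSQL\DATA"],
    hash_exclusions=["sha256:<placeholder-hash-of-approved-binary>"],  # constructed
)
LAPTOP_OUT_OF_OFFICE = AvPolicy(
    name="laptop-out-of-office", roles=["laptop"],
    on_access_scanning=True, heuristic_scanning=True,
    full_scan_interval_hours=24, quick_scan_interval_hours=2,
    full_scan_covers_exclusions=True,
    usb_write_allowed=False, usb_read_allowed=False, out_of_office=True,
)

if __name__ == "__main__":
    for name, findings in lint_deployment(
            [WEAK_CATCH_ALL, SQL_SERVER, LAPTOP_OUT_OF_OFFICE]).items():
        print(name)
        for line in findings:
            print("  -", line)
```

The wildcard check deliberately flags every wildcard, including the database-directory case the checklist allows; the intent is that such an exclusion is reviewed and documented rather than silently accepted.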

Antivirus software, like other security products and services, is most effective as one layer of a defense-in-depth approach. Given the variety of technologies involved, it is unlikely that any single AV product can prevent everything, particularly because of the AV evasion techniques that exist.

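Items 6 and 7 of the checklist call for alerting on detections and on the AV being disabled, routed to the right teams, with first infection, re-infection and outbreak told apart. The following Python, added here and not SureCloud’s code, shows one way to implement that routing over a constructed, assumed log format (real products write their own formats, so parse_line is the part to replace); the OUTBREAK_HOSTS, OUTBREAK_WINDOW and REINFECTION_WINDOW thresholds and the recipient group names are assumptions.

```python
"""Turn antivirus log events into routed alerts (checklist items 6 and 7).

Added example: the log line format, thresholds and recipient names are
assumed for illustration and do not come from any real product.
"""
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"event=(?P<event>\S+)(?: threat=(?P<threat>\S+))?(?: action=(?P<action>\S+))?$"
)

# Assumed thresholds; tune them to your estate.
OUTBREAK_HOSTS = 3                      # this many distinct infected hosts ...
OUTBREAK_WINDOW = timedelta(hours=1)    # ... within this window is an outbreak
REINFECTION_WINDOW = timedelta(days=7)  # a second detection this soon is a re-infection

SECURITY, SUPPORT_DESK, IT_TEAM = "security-team", "support-desk", "it-team"


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; unknown shapes return None instead of raising."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


class AvAlerter:
    def __init__(self) -> None:
        self.last_detection: dict = {}                     # host -> last detection time
        self.recent: Deque[Tuple[datetime, str]] = deque()  # detections in the outbreak window
        self.outbreak_open = False                          # raise the outbreak alert once

    @staticmethod
    def _alert(kind, severity, recipients, ts, host, detail) -> dict:
        return {"kind": kind, "severity": severity, "recipients": recipients,
                "message": f"{ts.isoformat()} {host}: {kind} - {detail}"}

    def process(self, rec: dict) -> List[dict]:
        alerts: List[dict] = []
        ts, host, event = rec["ts"], rec["host"], rec["event"]
        if event == "protection_disabled":
            # item 7: a disabled AV must start a follow-up as soon as possible
            alerts.append(self._alert("av_disabled", "high", [IT_TEAM, SECURITY],
                                      ts, host, "on-access protection disabled"))
        elif event == "detection":
            prev = self.last_detection.get(host)
            kind = "reinfected" if prev is not None and ts - prev <= REINFECTION_WINDOW else "infected"
            self.last_detection[host] = ts
            alerts.append(self._alert(kind, "medium", [SUPPORT_DESK, SECURITY],
                                      ts, host, f"{rec['threat']} {rec['action']}"))
            # item 6: outbreak = many distinct hosts detecting within the window
            self.recent.append((ts, host))
            while self.recent and ts - self.recent[0][0] > OUTBREAK_WINDOW:
                self.recent.popleft()
            hosts = {h for _, h in self.recent}
            if len(hosts) >= OUTBREAK_HOSTS and not self.outbreak_open:
                self.outbreak_open = True
                alerts.append(self._alert("outbreak", "critical", [SECURITY, IT_TEAM], ts,
                                          host, f"{len(hosts)} hosts infected within {OUTBREAK_WINDOW}"))
        return alerts


def run(lines: List[str]) -> List[dict]:
    """Feed log lines through one AvAlerter and collect every alert raised."""
    alerter = AvAlerter()
    alerts: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            alerts.extend(alerter.process(rec))
    return alerts


# Constructed sample log; not output from any real product.
SAMPLE_LOG = [
    "2015-10-30T09:00:00Z host=WS-017 event=detection threat=Trojan.Generic action=quarantined",
    "2015-10-30T09:05:00Z host=WS-017 event=protection_disabled",
    "2015-10-30T09:10:00Z host=WS-017 event=detection threat=Trojan.Generic action=quarantined",
    "2015-10-30T09:20:00Z host=WS-022 event=detection threat=Trojan.Generic action=quarantined",
    "2015-10-30T09:30:00Z host=WS-031 event=detection threat=Trojan.Generic action=quarantined",
    "2015-10-30T09:40:00Z host=WS-017 event=scan_completed",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(a["severity"].upper(), a["recipients"], a["message"])
```

The detection on WS-017 at 09:10 is classed as a re-infection because the host already detected within the window, and the third distinct host at 09:30 triggers a single outbreak alert; the malformed last line is skipped rather than stopping the pipeline.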
You can analyse any suspicious files, domains, IPs, and URLs over at virustotal.com.

Cybersecurity Risk Management with SureCloud

SureCloud offers a set of Cybersecurity testing services, enabling you to identify your networks’ weaknesses and find solutions. To find out more information, take a look at Penetration Testing and Cyber Risk Management more broadly.